Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Eighty-one percent of U.S. government agency domains have now enabled the DMARC email security standard, according to a new report released on July 26 by email security firm Agari.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, includes several technical components that are intended to help protect the integrity and authenticity of email. U.S. government agencies were mandated by the Department of Homeland Security (DHS) to implement DMARC as part of the 18-01 binding operational directive that was announced in October 2017.

"The 81 percent result is fantastic and has blown away our expectations," Patrick Peterson, founder and executive chairman of Agari, told eWEEK.

Further reading

Agari has been tracking the adoption of DMARC by government agencies over the past year. In November 2017, Agari found that DMARC adoption within the U.S. government was at 34 percent of federal agencies. That number grew to 47 percent by December.

DMARC was designed to be deployed in stages, according to Peterson. The first stage, p=none, enables organizations to monitor their email ecosystem, identify authorized third-party senders and tune their DMARC policy before moving to "p=quarantine," which sends messages to the spam folder, and ultimately to "p=reject," which blocks messages completely.

"DMARC p=none is trivial to implement. You could do it in five minutes," Peterson said. "The challenge is to move from 'none' to 'reject' because all unauthenticated email will be rejected by the recipient with a 'reject' policy."

The DHS directive has set Oct. 16 as the deadline for all agencies to not only support DMARC but to enforce a reject policy as well. Agari found that 52 percent of government agencies now support the DMARC reject requirement. Most enterprises have dozens of third-party and cloud services that send email on their behalf, and with DMARC each one of these has to have its email authenticated, Peterson said. He noted that while Agari has helped hundreds of thousands of domains do this successfully, it does require a project and technology change.

"This is extraordinary adoption when compared to the private sector, where only about one-third of the Fortune 500 have a DMARC policy and only 5 percent have moved to reject," Peterson said. "It's great to see the government leapfrogging industry for a change."

Moving to the reject policy from the none DMARC policy is a key challenge, though Peterson noted that in January only 15 percent of executive branch domains were at reject, so there has been incredible traction in moving from none to reject.

"The lesson that enterprises should learn is to just deploy DMARC at p=none and to take their time moving to reject," he said.

It's not clear if full DMARC implementation will be achieved by all government agencies by the deadline. However, overall, government efforts have had a concrete impact on email security, Petersen said.

"One hundred percent adoption of DMARC by the deadline seems unlikely, but that does not mean that agencies will not be in compliance since BOD 18-01 provides an alternative path—agencies can provide DHS with a written plan for their DMARC implementation," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.